A Russian hacker has pleaded guilty to playing a major role in building the infamous Ebury botnet, which helped to fraudulently generate millions of dollars.

Maxim Senakh, 41, of Velikii Novgorod, pleaded guilty on Tuesday to conspiracy to violate the Computer Fraud and Abuse Act and to commit wire fraud.

Along with co-conspirators, Senakh is said to have helped develop the Ebury malware, which targeted the log-ins of servers running Solaris, Linux and similar Unix-like operating systems.

It’s a rootkit/backdoor Trojan designed to steal SSH log-in credentials from incoming and outgoing SSH connections.

They then combined these remotely controlled servers into a botnet, monetizing it via click fraud and spam campaigns, according to the Department of Justice.

The scams apparently compromised tens of thousands of servers around the world and earned Senakh and his co-conspirators millions of dollars in the process.

“As part of the plea, Senakh admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure and personally profited from traffic generated by the Ebury botnet,” noted the DoJ.

The Ebury malware leaped to notoriety in 2011 when it was used to hack the Linux Kernel...

The FBI is warning of a concerted effort on the part of cyber-criminals to target medical and dental facilities via their File Transfer Protocol (FTP) servers.

Criminals are accessing protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass and blackmail business owners. The Feds said that the Bureau is aware of criminal actors who are actively targeting such facilities via insecure FTPs that are operating in “anonymous” mode.

“Research conducted by the University of Michigan in 2015 titled, ‘FTP: The Forgotten Cloud,’ indicated over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers,” the FBI said in its alert. “The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or email address.”

While computer security researchers are actively seeking FTP servers in anonymous mode to conduct legitimate research, cyber-criminals could also use an FTP server in anonymous mode and configured to allow “write” access to store malicious tools or launch targeted cyberattacks.

“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft...

“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,” - Boris Sharov

Hong Kong might just have experienced its biggest ever data breach after the personal details of the Special Administrative Region (SAR)’s 3.7 million voters were stolen on two laptops.

The details are said to have included ID card numbers, addresses and mobile phone numbers.

They were stored on two laptops in a locked room at the AsiaWorld-Expo conference center near the airport.

The center is said to be the “back-up venue” for the region’s chief executive elections, which took place over the weekend.

The Registration and Electoral Office has reported the theft to police and told the South China Morning Post that the details of voters were encrypted – although it’s unclear how strong that encryption is.

It’s also unclear why the details of 3.7m voters were stored on the laptops when only an Election Committee of 1194 specially chosen business and political leaders is allowed to pick Hong Kong’s CEO.

The SAR’s privacy watchdog said in a statement that it is launching an investigation into the matter.

Over a three-year period from 2013 to 2016, the privacy commissioner’s office is said to have received 253 data breach notifications.

Eduard Meelhuysen, EMEA boss at Bitglass, argued that public sector breaches stand out as particularly concerning.

"Whether it’s the NHS or the Hong Kong Registration and Electoral Office, these organizations...

To avoid a lawsuit, your company needs to better understand the state of your infrastructure and the devices and applications within it. Here are five areas on which to focus.

The number of devices with IP connectivity continues to grow at a breakneck pace. In the next few years, it's expected that we'll see tens of billions of devices with some sort of networking ability.

The problem is that the number of skilled security professionals available for organizations to monitor and manage these devices will not scale to match. There just aren't enough people in the world to actively monitor all the bits flowing through networks.

It's not a hopeless battle, but organizations need to take steps to better understand the state of their infrastructure and the devices and applications within it. When the next Mirai-style attack occurs, you can bet there will be a team of lawyers ready to hold somebody responsible for their company's resulting loss of revenue, data, and reputation.

Take e-commerce as an example: When a retailer's website goes down for a couple of hours, it loses millions of dollars in sales and takes a hit in customer trust. If the company discovers that hundreds of hijacked Internet of Things (IoT) devices on another organization's network were partially responsible for its loss, a lawsuit will follow....

Enterprise security teams and penetration testers now have a new tool for evaluating the risks posed to their networks from Internet of Things (IoT) devices that are operating on radio frequencies outside the standard 802.11 specification.

Rapid7, the owner of the Metasploit Project, has released an extension to its recently introduced Hardware Bridge API for conducting pen tests on network-connected hardware.

The new RFTransceiver extension for the Metasploit Hardware Bridge is designed to let organizations identify and assess the security state of multi-frequency wireless devices operating on their networks more effectively than current tools permit.

The RFTransceiver gives security pros the ability to craft and monitor different RF packets for identifying and accessing a company’s wireless systems beyond Ethernet-accessible technologies, said Craig Smith, a research lead at Rapid7 in a blog post.

It allows pen testers to create and direct “short bursts of interference” at such devices to see how they respond from a security standpoint.

Many organizations already have devices and systems operating on radio frequencies outside 802.11 on their networks. Examples include RFID readers, smart lighting systems using the Zigbee communication protocol and network-enabled alarm, surveillance, and door control systems.

The RFTransceiver extension is designed to help organizations with such devices answer vital questions, such as the operating range of the devices, whether they are encrypted, how they respond to outside interference, and how they fail.

Ordering a DDoS attack has become as easy as ordering the latest bestseller from Amazon—and can offer incredible return on investment for the attacker.

According to Kaspersky Lab, DDoS-for-hire services are generally self-service, eliminating the need for direct contact between the organizer and the customer. Customers can make payments, get reports on work done and so on, all online. In fact, Kaspersky said that the order page “looks more like the web page of an IT startup than a cybercriminal operation.”

“These web services are fully functional web applications that allow registered customers to manage their balance and plan their DDoS attack budget,” the firm said in a blog posting. “Some developers even offer bonus points for each attack conducted using their service. In other words, cybercriminals have their own loyalty and customer service programs.”

But lowering the barrier to entry doesn’t stop there—it’s also incredibly cheap to carry attacks out these days. One DDoS service advertised on a Russian public forum offers attacks from $50 per day, for instance.

Kaspersky did a review of the Dark Web to find out the going rate for DDoS as-a-service, and found the average to be slightly higher than the example above—attacks typically cost $25 per hour, with the cyber-criminals making a profit of about $18 for every hour of an attack.

The security specialist also found that organizers of DDoS services generally offer customers a tariff plan in which the buyer pays a per-second rental price for botnet capacity. For example, a DDoS attack of 300 seconds using a botnet with a total bandwidth of 125Gbps will cost between about $5 and $6.

As for profitability, it should be noted that DDoS attacks and, in particular, ransomware DDoS have already turned into a high-margin business. “The profitability of one attack can exceed 95%,” the firm noted. “And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire. All the above suggests that the average cost of DDoS attacks in the near future will only fall, while their frequency will increase.”...

Colleagues and friends are mourning the sudden death of distinguished antivirus industry veteran Raimund Genes last Friday.

Genes, 54, chief technology officer at Trend Micro, began as a distributor before joining the antivirus firm in the early days of the industry back in 1996. He served with distinction in a variety of senior business development and technology roles for the last 30 years.

I interviewed Genes for El Reg several times and found him to be technically knowledgeable and a clear communicator, an antidote to the FUD and hyperbole sometimes found elsewhere. He'll be missed, especially by his family.

The CERBER family of ransomware has been found to have adopted a new technique to make itself harder to detect: it is now using a new loader that appears to be designed to evade detection by machine learning solutions. This loader is designed to hollow out a normal process where the code of CERBER is instead run.

X contains the loader, as well as various configuration settings. The loader has features that check if it is running in a virtual machine (VM), if it is running in a sandbox, if certain analysis tools are running on the machine, or if certain AV products are present. If any of these checks is triggered, the malware stops running. The lists below highlight the specific tools and products this software checks for:

Until now: the researchers claim they've built “a high-throughput covert channel [that] can sustain transmission rates of more than 45 KBps on Amazon EC2”. They've even encrypted it: the technique establishes a TCP network within the cache and transmits data using SSH.

The results sound scarily impressive: a Black Hat Asia session detailing their work promised to peer into a host's cache and stream video from VM to VM.

The paper explains that this stuff is not entirely new, but has hitherto also not been entirely successful because it's been assumed that “error-correcting code can be directly applied, and the assumption that noise effectively eliminates covert channels.”

The authors knock both of those arguments over, the first by figuring out a way to handle errors and the second with a method of scheduling communication between two VMs...

Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret.

Unfortunately, they know Contoso's impenetrable network defenses will detect commands sent to their malware.

To avoid detection, they have to send data through a channel not monitored by the company's IT security system, the Hyper IronGuard WallShield 2300, with its "military-grade" two-ply data leakage protection technology.

They consider several potential covert transmission techniques – inaudible sound, modulated light, even thermal manipulation of hardware – but none of these appear to be practical given their budgetary limitations and modest intellects.

Then one member of the three-person group recalls hearing about a security paper, "Oops!...I think I scanned a malware" [PDF], published earlier in March by researchers from two Israeli universities, Ben-Gurion University of the Negev and...

In the fourth quarter of 2016, about 30% of all malware was classified in new research as “zero day,” as in, it was not caught by legacy antivirus solutions.

WatchGuard Technologies’ inaugural Quarterly Internet Security Report postulates that the finding indicates that cybercriminals’ capability to automatically repack or morph their malware has outpaced the AV industry’s ability to keep up with new signatures.

The study also uncovered a theme of old threats becoming new again. First, the results show that macro-based malware is still very prevalent. Despite being an old trick, many spear-phishing attempts still include documents with malicious macros, and attackers have adapted their tricks to include Microsoft’s new document format. Second, attackers still use malicious web shells to hijack web servers. PHP shells are alive and well, as nation-state attackers have been evolving this old attack technique with new obfuscation methods.

JavaScript is a popular malware delivery and obfuscation mechanism. The results indicate a rise in malicious JavaScript in the fourth quarter, both in email and over the web.

The report meanwhile found that most network attacks target web services and browsers. In fact, 73% of the top attacks target web browsers in drive-by download attacks.

Interestingly, the top network attack, Wscript.shell Remote Code Execution, almost entirely affected Germany alone. Breaking it down country by country, that attack targeted Germany 99% of the time...

Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago.

The buffer overflow bug can be exploited to inject malicious code into a vulnerable machine and execute it, allowing an attacker to gain control of the computer. It requires WebDAV to be enabled. If you have such a machine exposed to or reachable from the internet, and you get hacked, maybe you deserve it.

On Monday, details of the vulnerability and proof-of-concept exploit code were published on GitHub: the code is attributed to "Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China."

Apparently, the "buffer overflow in the ScStoragePathFromUrl function in the WebDAV service" was "exploited in the wild in July or August 2016."

Shodan.io – a search engine for internet-facing devices – has found hundreds of thousands of servers still using IIS 6.0, and about 20,000 machines using Windows Server 2003. Not all of them will be exploitable. In any case, Microsoft has indicated it won't fix the bug.

"This issue does not affect currently supported versions," a spokesperson told The Reg. "We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection."

The vulnerability in the IIS WebDAV component allows an attacker to run code remotely...

A new type of ransomware dubbed WYSIWYE (What You See Is What You Encrypt) has been detected by researchers at PandaLabs.

As explained in a post on the firm’s website, the standard ransomware technique cyber-crooks employ is to gain access to a computer and then simply execute the corresponding malware automatically to start encryption and ultimately display the ransom message.

However, in an analysis of a recent intrusion, PandaLabs discovered a more personalized type of malware generator which allows attackers “the chance to customize the malware using a user-friendly interface prior to launching it, making it even easier for those with little technical knowledge to target companies.

Usually ransomware has its own configuration, it only has to be executed and it will work in the same way everywhere,” Luis Corrons, PandaLabs technical director, Panda Security, told Infosecurity. “This one is designed for more custom attacks, mainly in corporate networks. In all cases we have studied (talking about this particular attack) attackers are gaining access to the different corporate networks after a brute-force attack against the remote desktop connection. Then they manually drop the ransomware, run it and can configure it in different ways depending on each victim, carefully picking what they want to encrypt.”

According to Corrons, this shows how cyber-criminals are evolving and changing...

Twitter has been hit with a minor data breach incident that the social networking site believes is linked to a suspected state-sponsored attack.

In a blog post published on Monday, Twitter revealed that while investigating a vulnerability affecting one of its support forms, the company discovered evidence of the bug being misused to access and steal users’ exposed information.

The impacted support form in question was used by account holders to contact Twitter about issues with their account.

A VPN is often touted as a basic piece of any mobile device security plan. But when the chosen VPN turns out to be not just ineffective but actively working against your security, the user is left both vulnerable and betrayed.

Researchers at Trend Micro have singled out HolaVPN, a free "community VPN," for using customer computers and devices as exit points for spam, phishing messages, and worse. The "worse" is especially important at businesses where employees have downloaded the HolaVPN software. In those cases, HolaVPN could provide a gateway into the enterprise network for malicious software of many varieties.

Community VPNs are those in which the users' computers and devices provide exit points for other users in exchange for low- or no-cost services.

As with previous attacks, organizations in the Middle East appear to be main targets, Symantec says.

Organizations in the United Arab Emirates and Saudi Arabia are once again being targeted in a new wave of attacks involving Shamoon, a malware strain that was used to destroy more than 30,000 PCs at oil giant Saudi Aramco in 2012.

The latest attacks come after a two-year lull and are doubly destructive since they include a new component, Filerase, for erasing files on an infected system before Shamoon wipes the master boot record clean, Symantec states in a report. The addition of Filerase makes it almost impossible for victims to recover data from impacted systems, the security vendor notes.

Based on a breach disclosure from Italian oil services firm Saipem, the new Shamoon attacks appear to...

Iranian cyberattackers are stepping up their game after US President Donald Trump re-enforced severe economic sanctions on the country last month, the AP reports. Much of the cyber espionage activity targets American officials who make sure the sanctions stay in place.

Cerfta, a cybersecurity organization based in London, has been tracking the activity of threat group Charming Kitten and its recent campaign of phishing attacks – the most common threat among Iranian state-backed groups. The AP reports Charming Kitten has been attempting to hack email accounts of US Treasury members,

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro. Cyber-criminals are using the social site as an unwilling conduit in communicating with its mothership through the use of steganography, a tactic that hides a payload inside an image in order to evade detection.

The payload also instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter...

SandboxEscaper is the same researcher who previously publicly dropped exploits for two Windows zero-day vulnerabilities, leaving all Windows users vulnerable to the hackers until Microsoft patched them.

The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via